Browser hijacking programs can redirect users to pornographic websites. But could these malicious programs also lead to false accusations of possession of child pornography?
Malware such as CoolWebSearch (AKA CWS) can change browser start-up and search pages and generate pop-up pages - often punting illegal pornographic websites - on infected PCs. The program exploits IE vulnerabilities to slither onto unpatched PCs. Users would normally have to visit dodgy websites to get infected but it's easy to see how xxx rated spam email received and auto-executed through unpatched versions of Outlook could result in unwitting infection.
The end result would be the URL of borderline-criminal websites appearing in the history file of Net users. And how are spouses or employers to interpret this?
Wired this week carried an illuminating article, quoting several people who claimed their good reputation was threatened because browser hijacking programs had left indications of visits for porn websites on their PCs.
In one case, a Russian-born US resident called 'Jack' (not his real name) said he was forced to confess to child pornography offences on the basis of material he claims may have been deposited on his PC by a browser-hijacking program.
Jack may well have been railroaded in the case and there are issues about how evidence was handled. The chain of custody of the suspect PC, for example, is one area of particular concern. Wired quotes the conclusion of Brian Rothery, a former IBM systems engineer who researched Jack's claims, that "evidence wasn't handled properly".
However, the browser hijack explanation fails to adequately explain how some of the images appeared in locations not used for normal browsing sessions, Wired reports. The location of material and access times of content gives vital clues for investigators. If material is accessed after it is downloaded, especially at a time when a PC is offline, then this points towards a suspect's guilt.
It is straightforward to determine if the possession of illegal content is caused by browser hijacking, according to Neil Barrett, technical director of security consultancy IRM, and a veteran expert witness in numerous computer crime cases.
"Unless there is an exploit, material would only appear within the browser context. If illicit material was found on a PC a prosecution could be initiated but analysis is straightforward. It would leap up at a computer forensics expert that a pop-up was responsible for the content found," he said.
Police won't be blindsided
Some child pornography cases have been dismissed after suspects testified that a Trojan horse infection on their PCs could have downloaded without their knowledge (example here and here). According to Barrett, police were unable to counter defence arguments that a Trojan was responsible for the dodgy content found on a PC in these cases because they didn't know enough about what it did. This won't happen again in future. he said.
UK police now routinely check for Trojans on seized computers. In future, police will take virus infection into account in preparing evidence for court. Just because a virus is found on a PC doesn't mean someone is innocent of a computer crime and doesn't necessarily undermine the value of any other evidence recovered. "Police won't be blindsided by any Trojan defence in future," Barrett said.
So skilled and ethical investigators can determine if malicious code - and not salacious urges - explains the presence of dodgy content on PCs. Relying on this safety net is hardly sensible, though. The best approach for Joe Punter is to prevent such content getting onto his PC in the first place. This is yet another reason to use an updated version or IE and Outlook or (easier) to consider using alternative browsers and email clients. ®